Manual Chapter: BIG-IP® Network and System Management Guide: 12 - Configuring Packet Filters


12 Configuring Packet Filters


Introducing packet filtering

Packet filters enhance network security by specifying whether a BIG-IP® system interface should accept or reject certain packets, based on criteria that you specify. Packet filters enforce an access policy on incoming traffic only; they do not apply to outgoing traffic.

You implement packet filtering by creating packet filter rules, using the Configuration utility. The primary purpose of a packet filter rule is to define the criteria that you want the BIG-IP system to use when filtering packets. Examples of criteria that you can specify in a packet filter rule are:

  • The source IP address of a packet
  • The destination IP address of a packet
  • The destination port of a packet

You specify the criteria for applying packet filter rules within an expression. When creating a packet filter rule, you can instruct the Configuration utility to build an expression for you, in which case you need only choose the criteria from predefined lists, or you can write your own expression text, using the syntax of the tcpdump utility. For more information on the tcpdump utility, see the online man page for the tcpdump command.

Note

Packet filter rules are unrelated to iRules™.

You can also configure global packet filtering that applies to all packet filter rules that you create. The following sections describe how to set global packet filtering options, and how to create and manage individual packet filters rules.

Configuring global settings

Global settings for packet filtering are divided into two categories: Properties and Exemptions. The BIG-IP system applies global settings to all packets coming into the BIG-IP system. You can configure these settings using the Configuration utility. Note that only users with the Administrator user role can configure global settings for packet filtering.

Important

Note that one of the global settings, Packet Filtering, enables packet filtering. When you disable this setting, no packet filter settings or packet filter rules operate, and the BIG-IP system allows all traffic by default.

To configure global settings

  1. On the Main tab of the navigation pane, expand Network, and click Packet Filters.
    The Packet Filters screen opens.
  2. From the Packet Filtering list, select Enabled.
    This displays additional settings.
    Note: See the Important note preceding this procedure.
  3. Configure the values for all properties and exemptions.
    For detailed information on the global properties and exemptions, see Configuring global properties, following, and Configuring exemptions.
    Note: Before configuring the Unhandled Packet Action setting, see the warning information in Controlling unhandled packets.
  4. Click Update.

Configuring global properties

You can configure three specific global properties for packet filtering. Table 12.1 lists and describes the properties you can set for global packet filtering. Following the table are more detailed descriptions of these properties.

Table 12.1 Global packet filtering properties

Property | Description | Default Value
Packet Filtering | Indicates whether the packet filtering feature is enabled or disabled. | Disabled
Unhandled Packet Action | Determines how the BIG-IP system handles packets that do not match any packet filter rule. | Accept
Options | Provides two options that you can set on packet filtering. You can filter established connections, and, when the packet filter rule rejects a packet, you can instruct the BIG-IP system to send an ICMP administratively prohibited error instead of a connection refused error. | Disabled (unchecked)

Enabling packet filtering

Before you can implement packet filtering on the BIG-IP system, you must enable the packet filter feature. You do this by changing the Packet Filtering setting to Enabled. The default setting for packet filtering is Disabled.

Controlling unhandled packets

Sometimes a packet does not match any of the criteria that you have specified in the packet filter rules that you have created. For this reason, you must configure the Unhandled Packet Action property, which specifies the action that the BIG-IP system should take when the packet does not match packet filter rule criteria.

Possible values for this setting are Accept, Discard, and Reject. The default value is Accept.

Warning

Changing the default value of the Unhandled Packet Action property can produce unwanted consequences. Before changing this value to Discard or Reject, make sure that any traffic that you want the BIG-IP system to accept meets the criteria specified in your packet filter rules.

Specifying other options

Using the Options property, you can configure two other options:

  • Filter established connections
    When you enable (check) this option, the BIG-IP system filters all ingress packets, even if the packets are part of an existing connection. The default setting is disabled (unchecked). Note that checking this option does not typically enhance security, and can impact system performance.
  • Send ICMP error on packet reject
    When you enable (check) this option, the system sends an ICMP type 3 (destination unreachable), code 13 (administratively prohibited) packet when an ingress packet is rejected. When you disable (uncheck) this option, the BIG-IP system sends a protocol-dependent reject packet instead (for example, a TCP reset for TCP traffic). The default setting for this option is disabled (unchecked).

Configuring exemptions

There are a number of exemptions you can set for packet filtering. When filtering packets, the BIG-IP system always applies these exemptions, effectively overriding certain criteria you might have previously set within an individual packet filter rule.

Table 12.2 lists and describes the exemptions you can set for packet filtering. Following the table are descriptions of each setting and information on how to configure them. For the basic procedure on configuring these exemptions, see To configure global settings.

Table 12.2 Global packet filtering exemptions

Exemption | Description | Default Value
Protocols | Specifies whether the packet filter should always accept ARP or important ICMP traffic. | No default value
MAC Addresses | Specifies which MAC addresses to always allow. Selecting Always Accept allows you to specify one or more MAC addresses. | None
IP Addresses | Specifies IP addresses to always allow. Selecting Always Accept allows you to specify one or more IP addresses. | None
VLANs | Specifies which ingress VLANs to always allow. Selecting Always Accept allows you to specify one or more VLANs. | None

Specifying protocols as exemptions

With the Protocols setting, you can specify whether ARP and certain ICMP messages are exempt from packet filtering. The individual settings are:

  • Always accept ARP
    When you enable (check) this setting, the system automatically accepts all ARP packets and therefore does not subject them to packet filtering. The default setting is enabled (checked).
  • Always accept important ICMP
    When you enable (check) this setting, the system automatically accepts the following ICMP packet types for IPv4, and therefore does not subject them to packet filtering:
    • UNREACH
    • SOURCEQUENCH
    • REDIRECT
    • TIMEXCEED

In addition, the system accepts the following ICMP packet types for IPv6:

    • DST_UNREACH
    • PACKET_TOO_BIG
    • TIME_EXCEEDED
    • PARAM_PROB
    • LISTENER_QUERY
    • LISTENER_REPORT
    • LISTENER_DONE
    • ROUTER_SOLICIT
    • ROUTER_ADVERT
    • NEIGHBOR_SOLICIT
    • NEIGHBOR_ADVERT
    • REDIRECT

The default setting is enabled (checked).

Specifying MAC addresses as exemptions

You can use the MAC Addresses setting to exempt traffic from certain MAC addresses from packet filtering. Possible values are:

  • Always Accept
    When you select this value, a MAC Address List setting appears. You can then specify one or more MAC addresses from which traffic should be exempt from packet filtering.
  • None
    When you select this value, traffic from all MAC addresses is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.

To specify one or more MAC addresses, locate the MAC Addresses setting and select Always Accept. Then, in the MAC Address List area, type a MAC address and click Add. Repeat this process for each MAC address that you want the BIG-IP system to exempt from packet filtering.

Specifying IP addresses as exemptions

You can use the IP Addresses setting to exempt traffic from certain IP addresses from packet filtering. Possible values are:

  • Always Accept
    When you select this value, an IP Address List setting appears. You can then specify one or more IP addresses from which traffic should be exempt from packet filtering.
  • None
    When you select this value, traffic from all IP addresses is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.

To specify one or more IP addresses, locate the IP Addresses setting and select Always Accept. Then, in the IP Address List area, type an IP address and click Add. Repeat this process for each IP address that you want the BIG-IP system to exempt from packet filtering.

Specifying VLANs as exemptions

Using the VLANs setting, you can configure the BIG-IP system so that traffic from one or more specified VLANs is exempt from packet filtering. In this case, the system does not attempt to match packets from the specified VLAN or VLANs to any packet filter rule. Instead, the BIG-IP system always accepts traffic from the specified VLAN or VLANs.

For example, if you specify VLAN internal, then no incoming packets from VLAN internal are subject to packet filtering, even if a packet matches the criteria of a packet filter rule.

Possible values are:

  • Always Accept
    When you select this value, a VLAN List setting appears. You can then specify one or more VLANs from which traffic should be exempt from packet filtering.
  • None
    When you select this value, traffic from all VLANs is subject to packet filtering, according to existing packet filter rule criteria. This is the default value.

To specify one or more VLANs, locate the VLANs setting and select Always Accept. Then, in the VLAN List area, select a VLAN name in the Available box and using the Move button (<<), move the VLAN name to the Selected box. Repeat this process for each VLAN that you want the BIG-IP system to exempt from packet filtering.

Creating packet filter rules

Packet filter rules are criteria statements that the BIG-IP system uses for filtering packets. The BIG-IP system attempts to match each incoming packet against the packet filter rules and, if a match exists, determines whether to accept or reject the packet.

When you create a packet filter rule, you configure several settings, and then you define the criteria that you want the BIG-IP system to use to filter the traffic. To create the rule, you configure the Configuration and the Filter Expression areas of the New Packet Filter Rule screen.

To create a packet filter rule

  1. On the Main tab of the navigation pane, expand Network, and click Packet Filters.
    The Packet Filters screen opens.
    Note: If you have not enabled the Packet Filter feature, you can still create a packet filter rule. However, the BIG-IP system cannot use the packet filter rule until you have enabled the Packet Filter feature. For more information, see Enabling packet filtering.
  2. On the menu bar, click Rules.
    A list of any existing packet filter rules displays.
  3. In the upper-right corner of the screen, click Create.
    The New Packet Filter Rule screen opens.
    Note: If the Create button is unavailable, you do not have permission to create a packet filter rule. You must have the Administrator role assigned to your user account.
  4. Configure all settings. For more information, see Configuring settings for packet filter rules, following, and Creating a filter expression.
  5. Click Finished.

Configuring settings for packet filter rules

You can configure a number of different settings when you create a packet filter rule. Table 12.3 lists and describes the settings that you can configure. Following the table are sections that provide more detail on each setting.

Table 12.3 Configuration settings for a packet filter rule

Setting | Description | Default Value
Name | Specifies a unique name for the packet filter. | No default value
Order | Specifies a number that you assign to a rule, which determines when the packet filter is processed. Low numbers take priority over higher ones. | No default value
Action | Specifies the action that the BIG-IP system should take when a match is found. Possible values are: Accept, Discard, Reject, and Continue. | Accept
Rate Class | Lists one or more existing rate classes that you assign to the packet filter. This setting applies only when you have enabled the rate shaping feature. For more information on rate classes, see the Configuration Guide for BIG-IP® Local Traffic Management. | None
Apply to VLAN | Specifies the incoming VLAN on which the BIG-IP system should search for matches. | *All VLANS
Logging | Specifies whether the BIG-IP system records every match that it finds. | Disabled

Specifying a name

Using the Name setting, you can specify a unique name for the packet filter rule. This setting is required.

Specifying the order of packet filter rules

You use the Order setting to specify the order in which you want the BIG-IP system to apply existing packet filter rules. This setting is required.

Possible values for this setting are:

  • First
    Select this value if you want this packet filter rule to be the first rule that the BIG-IP system applies.
  • Last
    Select this value if you want this packet filter rule to be the last rule that the BIG-IP system applies.
  • After
    Select this value, and then select a packet filter rule from the list, if you want the system to apply this packet filter after the packet filter that you select from the list. Note that this setting is most useful when you have more than three packet filter rules configured.

Specifying an action

When a packet matches the criteria that you have specified in a packet filter rule, the BIG-IP system can take a specific action. You define this action using the Action setting.

You can choose one of these actions:

  • Accept
    Select Accept if you want the system to accept the packet, and stop processing additional packet filter rules, if any exist. This is the default setting.
  • Discard
    Select Discard if you want the system to drop the packet, and stop processing additional packet filter rules, if any exist.
  • Reject
    Select Reject if you want the system to drop the packet, and also send a rejection packet to the sender, indicating that the packet was refused. Note that the behavior of the system when you select the Reject action depends on how you configured the general packet filter Options property Send ICMP Error on Packet Reject.
  • Continue
    Select Continue if you simply want the system to acknowledge the packet for logging or statistical purposes. Setting the Action value to Continue does not affect the way that the BIG-IP system handles the packet; the system continues to evaluate traffic matching a rule, starting with the next packet filter rule in the list.

Assigning a rate class

Using the Rate Class setting, you can assign a rate class to traffic that matches the criteria defined in a packet filter rule. Note that this setting applies only when you have the rate shaping feature enabled.

The default value for this setting is None. If you previously created rate classes using the rate shaping feature, you can choose one of those rate classes from the Rate Class list.

For more information on rate shaping, see the Configuration Guide for BIG-IP® Local Traffic Management.

Specifying one or more VLANs

You use the Apply to VLAN setting to display a list of VLANs and then select a VLAN or VLAN group name. Selecting a VLAN from the list means that the packet filter rule filters ingress traffic from that VLAN only. For example, if you select the value *All VLANS, the BIG-IP system applies the packet filter rule to all traffic coming into the BIG-IP system.

Similarly, if you select the VLAN internal, the BIG-IP system applies the packet filter rule to traffic from VLAN internal only. The default value is *All VLANS.

If you select the name of a VLAN group instead of an individual VLAN, the packet filter rule applies to all VLANs in that VLAN group.

Enabling or disabling logging

If you want to generate a log message each time a packet matches a rule, you can enable logging for the packet filter rule. With this configuration, you can then display the Logging screen in the Configuration utility and view events related to packet filtering. For more information on logging packet filter events, see Chapter 17, Logging BIG-IP System Events.

Creating a filter expression

To match incoming packets, the BIG-IP system must use a filter expression. A filter expression specifies the criteria that you want the BIG-IP system to use when filtering packets. For example, the BIG-IP system can filter packets based on the source or destination IP address in the header of a packet.

Using the Configuration utility, you can create a filter expression in either of two ways:

  • You can write your own expression, using a Filter Expression box.
  • You can specify a set of criteria (such as source or destination IP addresses) that you want the BIG-IP system to use when filtering packets. When you use this method, the BIG-IP system builds a filter expression for you.

Table 12.4 lists and describes the Filter Expression settings that you can configure when you want the BIG-IP system to build a filter expression. Note that some of these settings appear on the screen only if you configure other settings in a certain way.

Table 12.4 Filter Expression settings for a packet filter rule

Setting | Description | Default Value
Filter Expression Method | Specifies the manner in which you want to create the actual packet filter rule. Possible values are Build Expression or Enter Expression Text. | Build Expression
Protocols | Specifies that the BIG-IP system is to filter packets received from the specified protocols. If you select Any, the system filters packets from any protocol. If you select Restrict to any in list, the system filters packets from the specified protocols only. | Any
Protocol List | Specifies the protocols to which you want the packet filter to apply. You use the Move buttons (<< and >>) to create or modify the list. | No default value
Source Hosts and Networks | Specifies the source hosts and source networks to which you want the packet filter to apply. If you select Any, the system filters packets from any source host or source network. If you select Restrict to any in list, the system filters packets from the specified source addresses only. | Any
Source Hosts and Networks List | Specifies the source addresses to which you want the packet filter to apply. You use the Move buttons (<< and >>) to create or modify the list. | No default value
Destination Hosts and Networks | Specifies the destination hosts and destination networks to which you want the packet filter to apply. If you select Any, the system filters packets to any destination host or destination network. If you select Restrict to any in list, the system filters packets to the specified destination addresses only. | Any
Destination Hosts and Networks List | Specifies the destination addresses to which you want the packet filter to apply. You use the Move buttons (<< and >>) to create or modify the list. | No default value
Destination Port | Specifies the destination ports to which you want the packet filter to apply. If you select Any, the system filters packets to any destination port. If you select Restrict to any in list, the system filters packets to the specified destination ports only. | Any
Destination Port List | Specifies the destination ports to which you want the packet filter to apply. You use the Move buttons (<< and >>) to create or modify the list. | No default value

You can have as many rules as you want, limited only by the available memory. Of course, the more statements you have, the more challenging it is to understand and maintain your packet filters.
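The evaluation order this chapter describes (the global Packet Filtering switch, then the exemptions of Table 12.2, then the rules in Order, with Accept, Discard and Reject ending evaluation and Continue only counting and logging the match, and finally the Unhandled Packet Action for packets no rule matches) is modelled below as an added Python example. It is not part of this guide or of the BIG-IP product; the Packet, Rule and PacketFilter classes, the sample policy and the sample packets are constructed for illustration, and the rule criteria cover only the Build Expression settings of Table 12.4 (protocol, source network, destination port, Apply to VLAN), not tcpdump expression text.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# ICMPv4 types passed by the "Always accept important ICMP" exemption (names from the chapter).
IMPORTANT_ICMP4 = {"UNREACH", "SOURCEQUENCH", "REDIRECT", "TIMEXCEED"}

@dataclass
class Packet:                        # constructed summary of one ingress packet
    proto: str                       # "tcp", "udp", "icmp" or "arp"
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dport: int = 0
    vlan: str = "external"           # ingress VLAN name
    icmp_type: str = ""              # symbolic ICMPv4 type name, e.g. "UNREACH"

@dataclass
class Rule:                          # one packet filter rule (Build Expression criteria only)
    name: str
    order: int                       # low numbers are processed first
    action: str                      # Accept, Discard, Reject or Continue
    protocols: Optional[Set[str]] = None   # None means "Any"
    src_nets: Optional[List[str]] = None   # CIDR strings; None means "Any"
    dst_ports: Optional[Set[int]] = None   # None means "Any"
    vlan: str = "*All VLANS"         # Apply to VLAN
    logging: bool = False
    hits: int = 0                    # the hit count shown on the Statistics screen

    def matches(self, p: Packet) -> bool:
        src = ipaddress.ip_address(p.src)
        return ((self.vlan == "*All VLANS" or p.vlan == self.vlan)
                and (self.protocols is None or p.proto in self.protocols)
                and (self.src_nets is None
                     or any(src in ipaddress.ip_network(n) for n in self.src_nets))
                and (self.dst_ports is None or p.dport in self.dst_ports))

@dataclass
class PacketFilter:                  # global settings plus the rule list
    enabled: bool = False            # global Packet Filtering setting (default Disabled)
    unhandled_action: str = "Accept" # Unhandled Packet Action (default Accept)
    accept_arp: bool = True          # Always accept ARP (default checked)
    accept_important_icmp: bool = True
    exempt_ips: Set[str] = field(default_factory=set)    # IP Addresses: Always Accept
    exempt_vlans: Set[str] = field(default_factory=set)  # VLANs: Always Accept
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def evaluate(self, p: Packet) -> str:
        if not self.enabled:                      # feature disabled: all traffic is allowed
            return "Accept"
        # Global exemptions are checked before any rule and override rule criteria.
        if ((p.proto == "arp" and self.accept_arp)
                or (p.proto == "icmp" and self.accept_important_icmp
                    and p.icmp_type in IMPORTANT_ICMP4)
                or p.src in self.exempt_ips or p.vlan in self.exempt_vlans):
            return "Accept"
        for r in sorted(self.rules, key=lambda r: r.order):
            if not r.matches(p):
                continue
            r.hits += 1
            if r.logging:
                self.log.append(f"{r.name}: {p.proto} {p.src}->{p.dst}:{p.dport}")
            if r.action != "Continue":            # Accept, Discard and Reject stop evaluation
                return r.action
        return self.unhandled_action              # no rule matched

def build_demo_filter() -> PacketFilter:
    """Constructed sample policy: log SSH, allow web, allow SSH from admins only, reject other SSH."""
    return PacketFilter(
        enabled=True, unhandled_action="Discard", exempt_vlans={"internal"},
        rules=[Rule("log-ssh", 10, "Continue", dst_ports={22}, logging=True),
               Rule("allow-web", 20, "Accept", protocols={"tcp"}, dst_ports={80, 443}),
               Rule("ssh-from-admin", 30, "Accept", src_nets=["10.10.0.0/24"], dst_ports={22}),
               Rule("reject-ssh", 40, "Reject", dst_ports={22})])
```

Because the sample policy sets Unhandled Packet Action to Discard, any traffic not covered by a rule (the UDP packet in the checks below) is silently dropped, which is exactly the consequence the Warning in Controlling unhandled packets cautions about.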

Managing packet filter rules

Once you have created packet filter rules, you can list them, view or modify their settings, or delete them. You can also view statistics related to packet filters.

Note

Only users with the Administrator user role can manage packet filter rules.

Viewing the list of packet filter rules

Using the Configuration utility, you can view a list of any packet filter rules previously created. The screen that lists existing packet filter rules shows the following information for each packet filter rule:

  • The order in which the system applies the packet filter rule
  • The name of the packet filter rule
  • The action that the BIG-IP system takes based on the criteria defined in the packet filter rule
  • The VLAN traffic to which the packet filter rule applies
  • If rate shaping is enabled, the rate class that applies to traffic that matches the criteria defined in the packet filter rule
  • The logging state (enabled or disabled)

For information on creating packet filter rules, see Configuring settings for packet filter rules.

Use the following procedure to view a list of packet filter rules.

To view the list of packet filter rules

  1. On the Main tab of the navigation pane, expand Network, and click Packet Filters.
    This displays properties for global packet filtering, if packet filtering is enabled.
  2. On the menu bar, click Rules.
    This displays the list of all existing packet filters.

Viewing or modifying packet filter rule settings

You can use the Configuration utility to view or modify the current settings of a packet filter rule. For information on how to initially enable packet filtering and configure the settings for a packet filter rule, see Creating packet filter rules.

To view or modify packet filter settings

  1. On the Main tab of the navigation pane, expand Network, and click Packet Filters.
    This displays properties for global packet filtering, if packet filtering is enabled.
  2. On the menu bar, click Rules.
    This displays the list of all existing packet filters.
  3. Click a packet filter name in the list.
    This displays the settings for that packet filter.
  4. Retain or modify any settings.
  5. Click Update.

Deleting a packet filter rule

You can use the Configuration utility to delete a packet filter rule.

To delete a packet filter rule

  1. On the Main tab of the navigation pane, expand Network, and click Packet Filters.
    This displays properties for global packet filtering, if packet filtering is enabled.
  2. On the menu bar, click Rules.
    This displays the list of all existing packet filters.
  3. Locate a packet filter name in the list.
  4. To the left of the name, check the Select box.
  5. At the bottom of the screen, click Delete.
    A confirmation message appears.
  6. Click Delete again.

Viewing statistics for packet filters

The Configuration utility displays a number, known as a hit count, that increments each time a packet matches the packet filter rule.

To view packet filter statistics

  1. On the Main tab of the navigation pane, expand Network, and click Packet Filters.
    This displays properties for global packet filtering, if packet filtering is enabled.
  2. On the menu bar, click Statistics.
    This displays the main Statistics screen in the Configuration utility.
  3. Using the Data Format list, select either Normalized or Unformatted.
    This displays packet filter statistics, in the chosen display mode.


